11-19-2002 06:58 AM - edited 03-02-2019 03:00 AM
I have a 2620 as the Internet gateway with the IOS firewall. I have set the ACL on the serial interface to only allow echo-replies, timeouts, unreachables, and source-quench messages. This would imply that echo is denied. When I try to ping the serial interface from a host on the Internet, I get a destination net unreachable reply. Is there a way to make the response be a request timed out?
Running Config
Current configuration : 2450 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname internet-router
!
no logging console
enable secret 5 $1$lXDY$EColL5xiDhpTbrPqrHXIz.
!
ip subnet-zero
!
!
ip name-server 64.30.6.6
ip name-server 64.9.32.6
!
ip inspect audit-trail
ip inspect name RULESOUTBOUND tcp
ip inspect name RULESOUTBOUND udp
ip inspect name RULESOUTBOUND cuseeme
ip inspect name RULESOUTBOUND ftp
ip inspect name RULESOUTBOUND h323
ip inspect name RULESOUTBOUND realaudio
ip audit notify log
ip audit po max-events 100
!
no call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.1.0.5 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect RULESOUTBOUND in
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
description connected to Internet
ip address 64.30.2.242 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip nat outside
encapsulation ppp
no service-module t1 remote-loopback full
service-module t1 remote-loopback payload v54
service-module t1 timeslots 1-8
service-module t1 remote-alarm-enable
no cdp enable
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.1.0.4 25 interface Serial0/0 25
ip nat inside source static tcp 10.1.0.20 80 interface Serial0/0 80
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.2.0.0 255.255.255.0 10.1.0.1
ip route 10.3.0.0 255.255.255.0 10.1.0.1
ip route 10.4.0.0 255.255.255.0 10.1.0.1
ip route 10.5.0.0 255.255.255.0 10.1.0.1
ip route 64.0.0.0 255.0.0.0 64.30.2.241
no ip http server
!
logging trap warnings
logging 10.1.0.4
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.3.0.0 0.0.255.255
access-list 1 permit 10.4.0.0 0.0.255.255
access-list 1 permit 10.5.0.0 0.0.255.255
access-list 101 permit tcp any host 64.30.2.242 eq www
access-list 101 permit tcp any host 64.30.2.242 eq smtp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any echo
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
gateway
!
!
!
line con 0
exec-timeout 0 0
password 7 09784B0A11
login
line aux 0
line vty 0 4
password 7 09784B0A11
login
11-19-2002 07:29 AM
Try "no ip unreachables" on your Serial 0/0 interface.
Hope that helps,
Don
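A small model of the mechanism behind Don's answer, added here as an illustration and not part of the original thread: it evaluates the posted access-list 101 first-match and shows how the interface's ip unreachables setting changes what the remote ping sees. The ACL entries and the Serial0/0 address are taken from the config above; the test packets and the result strings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SERIAL0_0 = "64.30.2.242"  # Serial0/0 address from the posted config

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp" or "icmp"
    dst: Optional[str] = None        # None means "any"
    tcp_port: Optional[int] = None   # destination port for tcp entries
    icmp_type: Optional[str] = None  # message type name for icmp entries

# access-list 101 as posted, in order; an implicit "deny ip any any" follows.
ACL_101 = [
    Ace("permit", "tcp", SERIAL0_0, tcp_port=80),   # eq www
    Ace("permit", "tcp", SERIAL0_0, tcp_port=25),   # eq smtp
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("permit", "icmp", icmp_type="time-exceeded"),
    Ace("permit", "icmp", icmp_type="source-quench"),
    Ace("permit", "icmp", icmp_type="unreachable"),
    Ace("deny", "icmp", icmp_type="echo"),
]

def acl_lookup(proto, dst, tcp_port=None, icmp_type=None):
    """First-match evaluation, as IOS does, falling through to the implicit deny."""
    for ace in ACL_101:
        if ace.proto != proto:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if proto == "tcp" and ace.tcp_port != tcp_port:
            continue
        if proto == "icmp" and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL

def ping_result(dst, ip_unreachables=True):
    """What a pinging host sees for an echo request to dst arriving on Serial0/0."""
    if acl_lookup("icmp", dst, icmp_type="echo") == "permit":
        return "echo-reply"
    if ip_unreachables:
        # ACL deny with "ip unreachables" on: IOS sends ICMP type 3 code 13
        # (administratively prohibited), which ping shows as destination unreachable.
        return "icmp type 3 code 13"
    return "request timed out"  # "no ip unreachables": the packet is dropped silently

if __name__ == "__main__":
    print(ping_result(SERIAL0_0), "|", ping_result(SERIAL0_0, ip_unreachables=False))
```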